Looking for answers on Microsoft’s COFEE device

Today’s story on a Microsoft device that helps law enforcement gather forensic evidence from a crime suspect’s computer has garneredlots of attention and raised questions about how exactly it works and what it’s able to do. Update, 5:10 p.m. I just got a response from Microsoft. See the end of the post.

I’ve received calls and emails from law enforcement officials — ranging from Amtrak’s Office of Inspector General to a U.S. Army cybercrime investigator to the Citrus County, Florida, Sheriff’s Office — all wanting to know how they can get their hands on the device.

Other readers have wondered about the implications of the device for civil liberties and Windows security. There is also concern the device could fall into the hands of criminals (who, I’d add, would also have to gain physical access to a computer to do harm with it) or that something similar could be developed.

A reader from Snohomish County writes, “a little usb device cannot break encrypted info (passwords) — unless microsoft has built a back door into its computers — it seems. i have worked with encryption software before — stuff it would take NSA a month to crack — so how does MS do it in minutes?”

Others have dismissed the idea that this is even news. A reader writes:

“Have you heard of this? Nearly every American home has been infiltrated with a device that allows complete strangers to talk to and gain the confidence of your children. These criminals then indulge in rampant child abuse! The device? The telephone. I say we need a bureau whose job it is to listen in on each and every ‘telephone’ conversation in order to thwart these insidious criminals. And I think the Seattle Times should run a lengthy series exposing the dangers of this pernicious technology.”

I’m trying to get answers from Microsoft on how the Computer Online Forensic Evidence Extractor actually works. I’ll update this post when I hear back from Microsoft.

In the meantime, here are some other details that didn’t make it into today’s story:

Brad Smith, Microsoft’s general counsel, described COFEE in an interview.

“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.

“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”

The device can get that job done in as little as 20 minutes, Smith said.

“With this tool, they can just plug it into the computer, wherever it’s located. They don’t have to turn off the power. It has over 150 different technology tools that law enforcement officers can use to analyze data, to get access to passwords, to obtain the information typically that people need to successfully prosecute a crime.”

COFEE can also be customized with additional tools and commands.

It was developed by Anthony Fung, a senior investigator on Microsoft’s Internet Safety Enforcement Team. Fung, formerly a Hong Kong police officer, joined Microsoft four years ago.

It sounds to me like the device doesn’t do anything that a trained computer forensics expert can’t already do. This just automates the execution of the commands for data extraction. Check later for updates.

Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as “password security auditing technologies” used to access information “on a live Windows system.” She cited rainbow tables as an example of other such tools, and “was NOT confirming that COFEE includes Rainbow Tables.”

It “does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret ‘backdoors’ or other undocumented means.”

Further, she reiterated that the tool is intended for use “by law enforcement only with proper legal authority.”

Another update: This from Tim Cranton, associate general counsel at Microsoft: “The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It’s the ease of use, speed, and consistency of evidence extraction that is key.”

About

Welcome to Microsoft Pri0: That's Microspeak for top priority, and that's the news and observations you'll find here from Seattle Times technology reporter Matt Day. Send tips or comments to mday@seattletimes.com.